{"id":"MGASA-2021-0337","summary":"Updated pjproject packages fix security vulnerabilities","details":"Currently, PJSIP transport can be reused if they have the same IP address\n+ port + protocol. However, this is insufficient for secure transport since\nit lacks remote hostname authentication. The vulnerability allows for an\ninsecure interaction without user awareness. It affects users who need access\nto connections to different destinations that translate to the same address,\nand allows man-in-the-middle attack if attacker can route a connection to\nanother destination such as in the case of DNS spoofing (CVE-2020-15260).\n\nAn issue has been found in pjproject. Due to bad handling of two consecutive\ncrafted answers to an INVITE, the attacker is able to crash the server\nresulting in a denial of service (CVE-2021-21375).\n","modified":"2026-01-30T09:47:25.837016Z","published":"2021-07-10T20:00:34Z","related":["CVE-2020-15260","CVE-2021-21375"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0337.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=28998"},{"type":"REPORT","url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-8hcp-hm38-mfph"},{"type":"REPORT","url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-hvq6-f89p-frvp"},{"type":"REPORT","url":"https://www.debian.org/lts/security/2021/dla-2636"}],"affected":[{"package":{"name":"pjproject","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/pjproject?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.10-5.2.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0337.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}